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(54) System and method for providing anonymous remailing and filtering of electronic mail 



(57) A system for, and method of, generating an ali- 
as source address for an electronic mail ('e-mail') mes- 
sage having a real source address and a destination ad- 
dress and a computer network, such as the Internet, in- 
cluding the system or the method. In one embodiment, 
the system includes an alias source address generator 
that employs the destination address to generate the ali- 
as source address. The system further includes an alias 
source address subst'itutor that substitutes the alias 
source address for the real source address. This re- 
moves the real source address from the e-mail message 
and thereby renders the sender, located at the real 
source address, anonymous. Further-described are 
systems and methods for forwarding reply e-mail and 
filtering reply e-mail based on alias source address. 



FIG. 3 

( START > -310 



300 



COffESS 
REAL SOURCE 
ADTJRESS 






DJWTE 
K5 HASH OF 
DESTINATION 

AOORESS 






AffBI 

BYTE 
HQ 
SECHE 


)NUU 
SAW 
IFT 
T KEY 



-320 



-330 



^-3<0 



CM 
< 
00 

o> 

O) 

o> 

00 

o 

0L 
LU 



ENOW? 
KMFIED 
REAL SOURCE 
AOORESS 



^350 



APPB0 
SmiKSAti 
APPLY H-BASE 



Prfrted by Jouve. 75001 FWBS (FR) 



EP0 899 918 A2 



Description 

Cross Reference to Related Application 

[0001] The present invention is related to that dis- 
closed in EP-A-0855659. 

Technical Field of the Invention 

[0002] The present invention is directed, in general, 
to computer networks and, more specifically, to a sys- 
tem and method that provides for anonymous transmis- 
sion of electronic mail ("e-mail') over a network and fil- 
tering of incoming e-mail based, at least in part, on the 
destination address of the e-mail. 

Background of the Invention 

[0003] In recent years, the availability of more effi- 
cient, reliable and cost-effective computers and net- 
working tools has allowed many companies and individ- 
uals (collectively, "users') to become involved in an ev- 
er-growing electronic community. The immeasurable 
gains in technology experienced by the computer indus- 
try overall have allowed these users to rely on commer- 
cially available computers, such as personal computers 
("PCS"), to meet their information processing and com- 
munication needs. To that end, PC manufacturers allow 
users to equip most PCS with an interface (such as a 
modem) that may be used for communication over net- 
works, such as the Internet. The Internet is a well-known 
collection of networks (e.g., public and private voice, da- 
ta, video and multimedia networks) that cooperate using 
common protocols to form a worldwide network of net- 
works. 

[0004] Cooperation often includes the communication 
of electronic mail ("e-mail") from one user (a "sender") 
to another (a "recipient"). One conventional e-mail pro- 
tocol employed over the Internet, Standard Mail Trans- 
fer Protocol ("SMTP"), mandates that each e-mail mes- 
sage body have a header that includes the sender's e- 
mail address (a "source address") and the recipient's e- 
mail address (a "destination address"). All well-known 
e-mail protocols mandate inclusion of a source address 
to allow the recipient to send e-mail back to the sender. 
[0005] Privacy has become a primary concern in to- 
day's computer-based society. Users want to be able to 
express themselves in words, sounds or pictures over 
a computer network, but may not want to be identified 
as the source. In particular, users want to keep their true 
identity secret, but still wish to receive e-mail addressed 
to them. This need for privacy spans the spectrum of 
communication, from business transactions to personal 
thoughts. Unfortunately, mandated inclusion of the 
source address with the sender's -mail gives away the 
sender's identity, compromising privacy. 
[0006] One solution to this problem is a so-called 
■anonymous remailer." An anonymous remailer is a 



computer system, coupled to the network, that allows 
bidirectional e-mail communication over the network 
without compromising the sender's identity. The recipi- 
ent cannot discover the true identity of the sender unless 
5 the sender encloses identifying information in the body 
of the e-mail message itself. 

[0007] Anonymous remailing is well known in the art. 
The most famous Internet remailer to date has been the 
Finnish "anon.penet.fi" remailer, which, at its zenith, 
10 boasted more than 500,000 users. 

[0008] To support bidirectional e-mailing, convention- 
al remailers must maintain a translation table that cor- 
relates real user addresses and alias source addresses 
(usually taking the form "xxxxxx@remailer.address"). 
is Upon receipt of a message from an anonymous sender, 
the remailer replaces the sender's real source address 
with a corresponding alias source address and remails 
the message to the intended recipient. The recipient can 
reply to the message, but only by using the anonymous 
20 sender's alias source address. Upon receipt of a reply 
from the recipient, the remailer substitutes the anony- 
mous sender's real source address for the alias source 
address and remails the reply to the anonymous sender. 
[0009] The main problem with conventional remailers 
25 is the translation table itself. Because the table contains 
detailed real source addresses and the correlations be- 
tween such real source addresses and alias source ad- 
dresses, both hackers and law enforcement agencies 
covet it. Thus, the person maintaining the remailer must 
30 both protect the translation table from hackers and face 
thorny legal questions about the privacy of the senders 
who trust him to protect their true identity. 
[0010] Even though a sender may preserve his ano- 
nymity by using an anonymous remailer, he still may be 
35 subjected to receiving a barrage of unsolicited, usually 
computer-generated e-mail ("junk" e-mail or "spam," in 
today's Internet parlance), because the sender still may 
be reached via his alias source address. Currently, the 
only automatic way to protect against such unsolicited 
40 e-mail is to filter based on the source address contained 
in the header or specific words contained in the body. 
Unfortunately, filtering based on source address or 
words in the body of the message is crude at best, risk- 
ing both the unintended deletion of valid e-mail messag- 
es es and unintended retention of junk. Of course, manual 
filtering remains an option, but at the cost of time and 
with the risk of exposure to any offensive subject matter 
contained in such e-mail messages. 
[0011] Therefore, what is needed in the art is an im- 
so proved remailer, a method of remailing and a more ef- 
fective way to filter unsolicited e-mail messages auto- 
matically. 
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Summary of the Invention 

[0012] To address the above-discussed deficiencies 
of the prior art, the present invention introduces a sys- 
tem f r and method of, generating an alias source ad- 
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dress for an electronic mail ("e-mail") message having 
a real source address and a destination address and a 
computer network, such as the Internet, including the 
system or the method. In one embodiment, the system 
includes an alias source address generator that em- 
ploys the destination address to generate the alias 
source address. The system further includes an alias 
source address substitutor that substitutes the alias 
source address for the real source address. This re- 
moves the real source address from the e-mail message 
and thereby renders the sender, located at the real 
source address, anonymous. The system further in- 
cludes an e-mail forwarder that receives e-mail ad- 
dressed to the alias source address, computes the real 
source address, and forwards the e-mail to the real 
source address. 

[0013] The sender is therefore provided with a set of 
alias source addresses that may, in some embodiments 
of the present invention, be unique to each destination 
address. However, since the system automatically pro- 
vides generation and substitution of source addresses, 
the user is freed of the task of tracking multiple alias 
source addresses. 

[0014] In one embodiment of the present invention, 
the alias source address includes an encrypted version 
of the real source address, among other information. In 
this way, the e-mail forwarder can compute the real 
source address given the alias source address without 
any need for a translation table from alias source ad- 
dresses to real source addresses. Another advantage 
of this embodiment is that the alias generator does not 
have to communicate with the e-mail forwarder. Thus 
the system may comprise any number of alias genera- 
tors and any number of e-mail forwarders. Alias gener- 
ators and e-mail forwarders may be added and removed 
from the system at any time. 

[0015] In one embodiment of the present invention, 
the system further includes an e-mail filter capable of 
filtering incoming reply mail based on the alias source 
address. By causing the alias source address to depend 
upon the destination address, a single sender can have 
a set of different alias source addresses, allowing the 
sender to filter incoming reply mail, if he so desires, 
based upon alias source address. Purveyors of junk e- 
mail can obscure their identity or the content of an un- 
wanted message by many means, but if they want to 
send e-mail successfully to that sender, they must ad- 
dress it to the sender's exact same alias source ad- 
dress. The alias source address, when thus used as a 
destination address, provides users an effective way to 
filter junk e-mail and to determine, if they so desire, 
where the junk e-mail purveyor obtained the alias 
source address. 

[0016] The ability t filter -mail based on the alias 
source addr ss is independent of the particular method 
of generation of the alias sourc address. To allow e- 
mail filtering by this method, the alias source addr ss 
should depend upon th d stination address. The alias 



source address generator may advantageously have 
one or more of the following three attributes: (1 ) consist- 
ency (the same alias is presented to the same destina- 
tion), (2) uniqueness (the probability is low that twp des- 
tinations are given the same alias) and (3) privacy (the 
recipient cannot determine the real source address giv- 
en the alias source address). 
[0017] In one embodiment of the present invention, 
the system takes the form of a remote anonymous re- 
mailer with which the sender must communicate over a 
network. In an alternative embodiment, the system ex- 
ecutes locally on the sender's computer. As the sender 
generates e-mail messages, alias source addresses are 
determined and added, eliminating a need for the re- 
mote anonymous remailer. 

[0018] The foregoing has outlined, rather broadly, 
preferred and alternative features of the present inven- 
tion so that those skilled in the art may better understand 
the detailed description of the invention that follows. Ad- 
ditional features of the invention will be described here- 
inafter that form the subject of the claims of the inven- 
tion. Those skilled in the art should appreciate that they 
can readily use the disclosed conception and specific 
embodiment as a basis for designing or modifying other 
structures for carrying out the same purposes of the 
present invention. Those skilled in the. art should also 
realize that such equivalent constructions do not depart 
from the spirit and scope of the invention in its broadest 
form. 

Brief Description of the Drawings 

[0019] For a more complete understanding of the 
present invention, reference is now made to the follow- 
ing descriptions taken in conjunction with the accompa- 
nying drawings, wherein like numbers designate like ob- 
jects, and in which: 

FIGURE 1 illustrates a high-level block diagram of 
an exemplary distributed network with which the 
principles of the present invention may be suitably 
used; 

FIGURE 2 illustrates a block diagram of a computer 
system that may be employed in the network of FIG- 
URE 1 to provide an environment within which the 
present invention can operate; 
FIGURE 3 illustrates a flow diagram of one specific 
embodiment of a method of generating an alias 
source address for an e-mail message having a real 
source address and a destination address; and 
FIGURE 4 illustrates a flow diagram of one specific 
embodiment of a method of filtering unwanted e- 
mail messages based on alias source addresses 
and forwarding -mail to the real source address. 

Detailed Description 

[0020] Referring initially to FIGURE 1 , illustrated is a 
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high-level block diagram of an exemplary distributed 
network (generally designated 100) with which the prin- 
ciples of the present invention may be suitably used to 
provide an anonymous remailer that operates without a 
translation table and assigns destination-dependent ali- s 
as source addresses to a sender's e-mail. The distrib- 
uted network 100 illustratively includes a plurality of 
computer systems 110a, 11 0b t 110c, 110d, 110e, 1101, 
110g, 11 Oh, 110i that are illustratively coupled together 
to form the Internet 115. The Internet 115 includes the *o 
World Wide Web, which is not a network itself, but rather 
an "abstraction" maintained on top of the Internet 115 
effected by a combination of browsers, server sites (as 
may be hosted on the plurality of computer systems 
110a, 110b, 110c, 110d, 110e, 110f, 110g, 110h, 110i), « 
HyperText Markup Language ("HTML") pages and the 
like. 

[0021] Although the illustrated embodiment is suitably 
implemented for and used over the Internet 115, the 
principles and broad scope of the present invention may 
be associated with any appropriately arranged compu- 
ter, communications, multimedia or other network, 
whether wired or wireless. Further, though the principles 
of the present invention are illustrated using a single 
computer system, such as one of the plurality of com- 
puter systems 110a, 110b, 110c ( 110d, 110e, 11 Of, 110g, 
11 Oh, 110i, alternate embodiments within the scope of 
the same may include more than a single computer sys- 
tem. 

[0022] The exemplary network 1 00 is assumed to in- 
clude a plurality of (assumed) insecure communication 
channels that operate to intercouple ones of the various 
computer systems 110a, 110b, 110c, 110d, 110e, 11 Of, 
110g, 11 Oh, 110i of the network 100. The concept of 
communication channels is known and allows insecure 
communication of information among ones of the inter- 
coupled computer systems (the Internet employs con- 
ventional communication protocols, such as SMTP, that 
are also known). A distributed network operating system 
executes on at least some of computer systems 110a, 
110b, 110c, 110d, 110e, 110f, 110g, 110h, 110i and may 
manage the insecure communication of information 
therebetween. Distributed network operating systems 
are also known. 

[0023] FIGURE 1 also illustrates first and second us- 
er's computer systems 105a, 105b, which are assumed, 
for purposes of the following discussion, to be associat- 
ed with an e-mail sender and an e-mail recipient, re- 
spectively. Thus, a sender may apply his real source ad- 
dress and a destination address corresponding to the 
recipient to a particular e-mail message and send the e- 
mail message to the recipient via the network 100 and 
the second user's computer. 

[0024] The first user's computer ystem may be as- 
sociated with a particular comput r syst m 11 0a (such 
association den ted by a broken line 1 20. The particular 
computer system 110a acts as a home site for the first 
user's computer system and a provider of Internet serv- 



ice. 

[0025] Turning nowto FIGURE 2, illustrated is a block 
diagram of data processing and storage circuitry, g n- 
eraily designated 200, that may be employed in the net- 
work of FIGURE 1 to provide an environment within 
which the present invention can operate. The circuitry 
200 comprises a processor 210, volatile memory 220. a 
nonvolatile mass storage unit 230 and communication 
circuitry 240. 

[0026] The circuitry 200 illustrated in FIGURE 2 is in- 
tended to represent a wide array of computing plat- 
forms. Accordingly, the circuitry 200 may be a main- 
frame, minicomputer or personal computer ('PC'). The 
present invention is not limited whatsoever to a particu- 
lar class of computing platform. With reference back to 
FIGURE 1 and continuing reference to FIGURE 2, each 
of the plurality of computer systems 110a, 110b, 110c, 
110d, 110e, 11 Of, llOg, 11 Oh, 110i and the first and sec- 
ond user's computer systems 1 05a, 1 05b may have the 
circuitry illustrated in FIGURE 2 associated therewith. 
[0027] The present invention may be embodied as a 
sequence of instructions executable in the data 
processing and storage circuitry 200 to yield an alias 
source address generator, an alias source address sub- 
stitutor, a real source address generator, a real source 
address substitutor and an e-mail filter as the present 
invention provides. 

[0028] Turning now to FIGURE 3, illustrated is a flow 
diagram of one highly specific embodiment of a method, 
generally designated 300, of generating an alias source 
address for an e-mail message having a real source ad- 
dress and a destination address. The method 300 may 
be embodied in an alias source address generator. 
[0029] It should be stated at this point in the discus- 
sion that the method 300 is nothing more than one ex- 
ample of a way to gene rate an alias source address from 
a real source address. The present invention requires 
none of the specifically-recited steps. Instead, the 
present invention requires only that the resulting alias 
source address depend on the destination address. The 
alias source address generator may advantageously 
have one or more of the following three attributes: (1) 
consistency (the same alias is presented to the same 
destination), (2) uniqueness (the probability is low that 
two destinations are given the same alias) and (3) pri- 
vacy (the recipient cannot determine the real source ad- 
dress given the alias source address). 
[0030] The method begins in a start step 310, wherein 
an e-mail message to be remaiied is received from a 
sender at a remailer that operates according to the prin- 
ciples of the present invention. The sender's real source 
address is read from the e-mail message and com- 
pressed in a step 320 to ensure that the alias source 
address that results when the method 300 is complete 
is not xcessively long. Compression may, in the illus- 
trat d embodiment, b variable-length compression 
that dep nds upon the character set used in the send- 
er's mailbox name, domain name and top-level domain. 
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The compression step is, of course, purely optional. 
[0031] Following compression, the method 300 con- 
tinues in a step 330, wherein a hash value of the desti- 
nation address of the e-mail message is computed by 
means of the well-known MD5 algorithm. The destina- 
tion address may be the domain part of a destination e- 
mail address, or it may be the host part of a Uniform 
Resource Locator ("URL") of a World Wide Web form 
that asks the user to provide an e-mail address. From 
the MD5 hash value, two non -overlapping bit fields are 
obtained. In the illustrated embodiment, the first bit field 
is two bits long and the second bit field is eight bits long. 
[0032] Like compression, computation of a hash val- 
ue is purely optional. The only important aspect of the 
step 330 is that the alias source address is caused to 
be based on the destination address of the e-mail mes- 
sage. Modification of the destination address is not re- 
quired to base the alias source address thereon (as will 
be seen below in the description of a more trivial meth- 
od). 

[0033] Next, in a step 340, n null bytes are appended 
to the compressed real source address, where n equals 
the value of the first bit field. Appending the null bytes 
obscures the true length of the real source address. Also 
in the step 340, the second bit field is appended to a 
secret key stored locally in the remailer, thereby produc- 
ing an expanded secret key unique to the destination 
address. While appending null bytes obscures the true 
length of the real source address, appending is unnec- 
essary to the broad scope of the present invention. 
[0034] Next, in a step 350, the compressed real 
source address (with appended null bytes) is encrypted 
according to, for example, the Data Encryption Standard 
("DES") using the expanded secret key unique to the 
destination address as an encryption key. Multiple DES 
passes may be employed further to enhance security. 
[0035] Of course, the type of encryption applied is un- 
important. Encryption does need not to be DES and 
does not need to be symmetrical. In fact, the present 
invention does not require encryption whatsoever 
[0036] Next, in a step 360, the second bit field is ap- 
pended to the encrypted compressed real source ad- 
dress. The result is passed through an m-base conver- 
sion (m being any desired number) to obtain a desired 
string. For a printable alphanumeric string including both 
uppercase and lowercase characters, a base-64 con- 
version can be used. If only lowercase or only upper- 
case characters are desired, a base-32 conversion can 
be used. 

[0037] The method 300 ends in an end step 370, der- 
ivation of the alias source address having been accom- 
plished. As with all of the other steps 31 0 ( 320, 330, 340, 
350, the step 360 is unnecessary, unless the desired 
result is an alias source address consisting of a printable 
string of characters. 

[0038] The alias sourc address may then b substi- 
tuted f r the real sourc address, perhaps, with an alias 
sourc address substitutor. *. 



[0039] Employing the above-described exemplary 
method 300 to an e-mail message having a real source 
address of, for example, "foo_bar@ bell-labs.com " and 
a destination address of "www.yahoo.com" can be con- 

s verted to "wxOnlqlUUEXJxzwVSsfKgW". This can be 
pre-appended to the domain name and top-level domain 
of an exemplary remailer to yield: 
■wxOn1q1UUEXJx2wVSsfKgW@1pwa.com", a desti- 
nation-address-specific, SMTP-valid, alias source ad- 

10 dress. 

[0040] Employing a less complex method wherein the 
compressing, hashing, appending and encrypting, as 
set forth in the method 300 above, do not occurcan yield 
different results. For example, an e-mail message hav- 

15 ing a real source address of, for example, 
foo_bar@bell-labs.com' and a destination address of 
"www.yahoo.com" can be converted to "foo_bar.bell- 
labs.com.www.yahoo.com" (nothing more than a trivial 
string concatenation). This can be pre-appended to the 

20 domain name and top-level domain of an exemplary re- 
mailer to yield: 'www.yahoo.com.foo_bar.bell-labs. 
com@1pwa.com". This far less complex (and less se- 
cure) method falls well within the broad scope of the 
present invention, as well. Note that the steps set forth 

25 in the method 300 are not employed in the less complex 
method. 

[0041] Several things regarding the above-described 
method 300 should be noted. First, the secret key is the 
only data required to be stored at the remailer site. All 

30 of the remaining data are contained in the e-mail mes- 
sage itself. Thus, the translation table of conventional 
remailers is avoided. The secret key can, in fact, be 
compiled into the software that constitutes the remailer. 
[0042] Second, many World Wide Web sites impose 

35 limits on the length of an e-mail address they will accept 
in a form. Since the method 300 produces an alias 
source address that is longer than the reaJ source ad- 
dress, the real source address is initially compressed to 
reduce the extent to which the length of the alias source 

40 address exceeds the length of the real source address. 
Should certain sites truncate the resulting alias source 
address, reply mail employing the truncated alias 
source address will be lost. 

[0043] Third, the number of distinct destination-ad- 
45 dress-specific alias source addresses generated for the 
same real source address is limited to two to the power 
of n, where n is the total length of the bit fields computed 
in step 330. In the illustrated embodiment, the number 
of destination-address-specific alias source addresses 
so generated for the same real source address is 1024. 
This should prove adequate tor most purposes. If the 
second bit fields were longer, the alias source address 
space would correspondingly increase. However, it 
sh uld particularly be noted that the r suiting alias 
55 sourc addresses remain unique to the sender, ev n if 
they do overlap d sanations. 
[0044] Fourth, the above-d scribed method 300 em- 
ploys DES, a well-known secret key encryption algo- 
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rithm that conventionally operates on a 56 bit key. Since 
eight of the bits come from the second bit field, the secret 
key is 48 bits long. If encryption stronger than effective 
48 bit DES is desired, multiple DES passes can be used. 

[0045] The step 350 of the above described method 
300 may employ other symmetric encryption algorithms, 
such as IDEA, or an asymmetric encryption algorithms, 
such as RSA, instead of DES. Furthermore, the step 350 
of the above described method 300 may employ other 
one-way hash functions, such as SHA, instead of MD5. 
Also, the steps 310, 320, 330, 340, 350. 360 of the meth- 
od 300 may performed in any order, omitted or per- 
formed multiple times, as may be appropriate to de- 
grade or enhance security, anonymity, speed or com- 
plexity or to accommodate other design considerations. 
[0046] Finally, it should be noted that the method 300 
is fully reversible, allowing an alias source address (usu- 
ally contained in a reply e-mail) to be translated back 
into a real source address for forwarding back to the 
original sender. This is accomplished by reversing the 
m-base conversion, stripping the second bit field, de- 
crypting (or multiply-decrypting) the resulting string us- 
ing the stored secret key and appended second bit field, 
stripping the null bytes and. finally, decompressing the 
result to yield the real source address. It should be un- 
derstood, however, that the present invention is not lim- 
ited to reversible methods, and can be made only to sup- 
port unidirectional remailing. 

[0047] Turning now to FIGURE 4, illustrated is a flow 
diagram of one embodiment of a method, generally des- 
ignated 400, of filtering unwanted e-mail messages 
based on alias source addresses and forwarding e-mail 
messages to the real source address. The method 400 
may be carried out in an e-mail filter. The described em- 
bodiment of the e-mail forwarder consists of the real 
source address generator and the real source address 
substituter. 

[0048] In one embodiment of the present invention, 
the system further includes an e-mail fitter capable of 
filtering incoming reply mail based on the alias source 
address. By causing the alias source address to depend 
upon the destination address, a single sender can have 
different aliases, allowing the sender to filter incoming 
reply mail, if he so desires, based upon the alias source 
address. Purveyors of junk e-mail can obscure their 
identity or the content of an unwanted message by many 
means, but if they want their e-mail to be returned suc- 
cessfully to the sender at his real source address, they 
are constrained to use exactly the same alias source 
address, thereby providing an effective basis for filtering 
junk e-mail and determining, if they so desire, from what 
destination address the purveyor obtained the alias 
source address. 

[0049] At this point, terminology can become confus- 
ing, because, in the context of a reply, the recipient of 
the original -mail m ssage riginates a. reply e-mail 
message 1 and thereby becomes a sender in his own 



right. Accordingly, to reduce the confusion, the recipient 
will continue to be called the "recipient" and the sender 
will continue to be called the "sender." even though it is 
understood that the reply e-mai! is traveling from the "re- 

s cipient" to the "sender." 

[0050] Accordingly, the method 400 begins in a start 
step 410 and proceeds to a step 420, wherein a reply 
e-mail message is received from the recipient. The 
method 400 continues in a step 430, wherein the alias 

to source address is read from the reply e-mail message. 
Next, the alias source address is compared to alias 
source addresses contained in a sender-supplied list of 
rejected alias source addresses in a decisional step 
440. 

is [0051] If the alias source address matches one of the 
items in the list (taking the YES branch of the decisional 
step 440, the reply e-mail is deleted and the sender 
spared of its receipt. If the alias source address does 
not match any of the items in the list (taking the NO 
20 branch of the decisional step 440, the method continues 
in a step 450 wherein the sender's real source address 
is derived (perhaps by reversing the exemplary method 
300 described above or perhaps by way of a real source 
address generator that generates a real source address 
25 from an alias source address) and substituted into the 
reply e-mail for the alias source address, perhaps by 
way of a real source address substitutor. 
[0052] Next, the reply-e-mail is forwarded to the send- 
er in a step 460. The method ends in an end step 470, 
30 filtered forwarding having been accomplished. 

[0053] As with the method 300,-the steps 410, 420, 
430, 440, 450, 460 of the method 400 may performed 
in any order, omitted or performed multiple times, as 
may be appropriate to degrade or enhance security, an- 
as onymity, speed or complexity or to accommodate other 
design considerations. 

[0054] In an alternative method to the above, the re- 
mailer can simply move the alias source addresses of 
reply e-mail to a field in the header or to the body of the 
40 reply e-mail and forward the reply e-mail to the sender 
without filtering. The sender's e-mail client program can 
then filter the e-mail based upon criteria the sender has 
supplied. 

[0055] Because the alias source address is keyed to 
45 the destination address of the sender-originated e-mail, 
the sender can filter incoming reply e-mail destined for 
a particular alias source address and be assured that 
his other alias source addresses are unaffected. The re- 
cipient has no leeway to alter the alas source address 
so *rf he wants the reply e-mail to be delivered to the appro- 
priate sender. Thus, unwelcome reply e-mail cannot dis- 
guise itself. 

[0056] Although the present invention has been de- 
scribed in detail, those skilled in the art should under- 
ss stand that they can make various changes, substitutions 
and alterations herein without departing from the spirit 
and scope of the invention in its broadest form. 
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Claims 

1 . A system for generating an alias source address for 
an electronic mail message having a real source ad- 
dress and a destination address, comprising: 

an alias source address generator arranged to 
employ said destination address to generate 
said alias source address; and 
an alias source address inserter arranged to 
place said alias source address in said elec- 
tronic mail message. 

2. The system as recited in Claim 1 wherein said alias 
source address generator employs a real source 
address of said electronic mail message and said 
destination address to generate said alias source 
address. 

3. The system as recited in Claim 2 wherein said alias 
source address generator compresses said real 
source address to generate said alias source ad- 
dress. 

4. The system as recited in any of the preceding 
claims wherein said alias source address generator 
employs a secret key to generate said alias source 
address. 

5. The system as recited in any of the preceding 
claims further comprising: 

a real source address generator arranged to 
generate a real source address from said alias 
source address; and 

a real source address inserter, coupled to said 
real source address generator, arranged to 
place said real source address in said electron- 
ic mail message. 

6. The system as recited in Claim 6 wherein said real 
source address inserter is arranged to substitute 
said real source address for said alias source ad- 
dress, said real source address generator and in- 
serter' capable of cooperating to allow electronic 
mail directed to said alias source address to be rout- 
ed to said real source address, said system func- 
tioning as an electronic mail forwarder. 

7. The system as recited in any of the preceding 
claims wherein said alias source address is longer 
than said real source address. 

8. The system as recited in any of the preceding 
claims further comprising an electronic mail filter ca- 
pable of filtering incoming reply mail bas d on said 
alias source address. 



9. The system as recited in any of the preceding 
claims wherein said alias source address inserter 
is arranged to substitute said alias source address 
for said real source address, said real source ad- 

5 dress being removed from said message. 

10. A remailer for coupling to at least one of a plurality 
of computer systems of a computer network, for 
generating an alias source address for, and remail- 

io ing, an electronic mail message, comprising: 

a system as recited in Claim 9 and 
data transmission circuitry that remails said 
electronic mail message to said destination ad- 
15 dress. 

11 . A method of generating an alias source address for 
an electronic mail message having a real source ad- 
dress and a destination address, comprising the 

20 steps of: 

generating said alias source address based on 
said destination address; and 
substituting said alias source address for said 
25 real source address, wherein said real source 

address is removed from said e-mail message. 

12. The method as recited in Claim 11 wherein said step 
of employing comprises the step of employing a real 

30 source address of said e-mail message and said 
destination address to generate said alias source 
address. 

13. The method as recited in Claim 12 wherein said 
35 step of employing comprises the step of compress- 
ing said real source address to generate said alias 
source address. 

14. The method as recited in any of claims 11 to 13 
40 wherein said step of employing comprises the step 

of employing a secret key to generate said alias 
source address. 

1 5. The method as recited in any of claims 1 1 to 1 4 f ur- 
4$ ther comprising the steps of: 

generating a real source address from said ali- 
as source address; and 
substituting said real source address for said 
so alias source address to allow e-mail directed to 

said alias source address to be routed to said 
real source address thereby to forward said e- 
mail. 

55 16. The method as recited in any of claims 11 to 14 
wherein said alias source address is longer than 
said r al source address. 
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17. The method as recited in any of claims 11 to 14 fur- 
ther comprising the step of filtering incoming reply 
mail based on said alias source address. 

18. An electronic mail message, comprising: s 

a destination address; and 
an alias source address based on said destina- 
tion address. 

70 

19. The message as recited in Claim 18 wherein said 
alias source address is a function of said destination 
address. 

20. The message as recited in Claim 18 wherein said is 
alias source address is further based on a real 
source address of said message. 

21. A system for generating an electronic mail mes- 
sage, said system being arranged to generate a so 
message as recited in any of claims 18 to 20. 

22. The system as recited in Claim 21 wherein said sys- 
tem is embodied as an anonymous remailer. 

25 

23. The system as recited in Claim 21 wherein said sys- 
tem is operable on an e-mail sender's computer. 

24. A method of generating an electronic mail mes- 
sage, said method generating a message as recited 50 
in any of claims 1 8 to 20. 

25. The method as recited in Claim 24 wherein said 
method is carried out in an anonymous remailer. 

35 

26. The method as recited in Claim 24 wherein said 
method is carried out in an e-mail sender's compu- 
ter. 
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